BluegrassNet Shared Hosting and Backup Policy
Posted by John Roberts, Last modified by John Roberts on 28 December 2016 02:07 PM
*This applies to any shared environment on any network where BluegrassNet places its clients. This also includes any web hosting script, whether open-source, paid or custom developed, that is placed on said shared hosting environments.
The purpose of this stated policy is to make clear to all BluegrassNet customers the difference between what we (as an ISP) and you (as the customer) are responsible for with regard to the ongoing maintenance of your WordPress website (or any other website) that is hosted at BluegrassNet. We are surprised by how many people were unaware of some basic WordPress operating requirements and best practices. It is important that everyone, especially the web developers and their paying customers, understand what is really required in maintaining a website built in this framework. [Note: this applies to other frameworks such as Drupal, Joomla, and like-kind platforms as well.]
It is the responsibility of the Website Developer and the customer paying BluegrassNet for hosting to make sure that WordPress (or any other web hosting script) updates are being followed up on in a timely manner. In the event that they are not, and an exploit takes place, BluegrassNet will attempt to help, but bears no responsibility for rebuilding the website or restoring it. Oftentimes, if proper procedures are followed by the developer or client, timely and inexpensive recovery of a website copy is possible. However, if the procedures have not been followed up on, any assistance rendered by BluegrassNet technicians may entail additional charges for consulting work.
This includes “back-up” settings in the cPanel itself. You, as the account holder, have the power to initiate or terminate automatic backups. BluegrassNet does not bear responsibility if the back-ups are turned off. Please make sure the setting is to your requirements.
Specific Example of What Can Happen if this is ignored:
In the spirit of informing you what can happen when WordPress updates are not followed up on, we give you the example of a large hack that affected certain BluegrassNet WordPress customers, as well as tens of thousands of WordPress websites worldwide, in May of 2015: hackers used a WordPress function called XML-RPC (http://en.wikipedia.org/wiki/XML-RPC) to enter a site and replace legitimate content with whatever they put up there. They did it by exploiting a feature in WordPress that allows a programmer to inject requests to the WordPress software, and these requests in turn changed the homepage content to what they wanted. The server was not hacked; this had nothing to do with the server. It was entirely the webpage that was uploaded to the server, in this case websites using the WordPress feature called XML-RPC. While some WordPress sites were compromised, hundreds of other websites, including some WordPress sites, were unaffected. Why did yours get hit? It was just the luck of the draw, for no particular reason; it appears they randomly chose about 20 sites and that was it.
What did BluegrassNet do to rectify the situation when this happened? First off, BluegrassNet keeps backups of the sites / cPanel servers. We had to spend a significant amount of resources (time) to get about 20 websites back up and running. We know that the time it took frustrated some people, because they’re under the impression that we “hit a button” and everything is back up. That is not the case; it is a little more involved than that. If an end user was using the cPanel Backup Feature, the restore process would have taken significantly less time. The good news is that we eventually got everyone taken care of this time around.
The Scope and Importance of this Issue:
To reiterate: this is not only a BluegrassNet issue; this has been going on around the world. Here is a link to a story about some other hosters that were hit in the same way over the past year: http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html . You can read about it at your leisure. Some of the numbers of WordPress sites hit by this are staggering. The bigger issue is “whose responsibility is it to make sure this stuff doesn’t happen”. In this case, it is your team’s responsibility to make sure the software they are using is protected. They can do this by learning to run the cPanel management system properly, so that backups are indeed taking place, and, just as important, by learning how to maintain and process WordPress update and management procedures (we have listed some of those at the end of the email). There are also settings available in every cPanel account that allow you to do backups of your site on our cPanel server as well as download it to your machine at your place. BluegrassNet strongly encourages your team to get familiar with these features. If they need help, please have them call in to tech support. What is BluegrassNet’s responsibility? To make sure that the servers are protected from hacking and the network is up and running. It is not our responsibility to update your WordPress environment unless you contract us to do so.
How can someone avoid this in the future? Ultimately, it is the responsibility of the person running the website to do the WordPress updates. This is usually the role of your webpage developer or someone in your IT department. If you don’t have anyone to do it for you, BluegrassNet does offer paid managed services to maintain your WordPress environment. The amount we would charge for this varies depending on the complexity of your site. BluegrassNet would provide a competitive price structure to all existing customers in need of the service. Customers who are interested in this service can call in and ask for John Roberts or Norman Schippert for a quote.
In summary, I am asking you to keep your WordPress updates current. BluegrassNet is not responsible for the content of your website in the sense of maintaining it, repairing it, and doing your updates for you. In the May 2015 Event BluegrassNet did not charge anyone to restore their sites; however, in the future, we may ask for some type of hourly fee to restore your site. If you need help maintaining your website, we can help, but we have to charge something. If you are trying to save money, please have your team learn how to do it. We thank you for the business over the years, and appreciate you choosing BluegrassNet for your hosting and programming needs. Our front-end tech support is available Monday-Friday 7am-7pm and Saturday 10am-6pm; closed Sunday.
WordPress Suggestions if you think your site has been Hacked
Information for Advanced users and WordPress Administrators
Ebook: “Locking Down Wordpress.”